jsDelivr CDN URLs #180
Replies: 1 comment 2 replies
-
|
I sent an email to jsDelivr about giving API access to us to purge cache in CDN URLs. We may create a GitHub action or use it if there are any existing ones and run it after every release. |
Beta Was this translation helpful? Give feedback.
-
|
I already got the access and it's already enabled for us 😊 But that was not my point. Using current API doesn't solve problems I mentioned above. |
Beta Was this translation helpful? Give feedback.
-
|
Oh, lol 😖 . I misread the part where you specified that information. I asked Dimitry from jsDelivr if they are planning to add authorization to their API. To that day, we can move on by specifying the version number. However, I believe mentioning this would not be enough. 😊 +1 for considering an autonomous updating version in the readme file + stories (Vue, React). We can discuss further the issue. |
Beta Was this translation helpful? Give feedback.
-
Currently we promote to use
@betaversion to use via CDN with the url:https://cdn.jsdelivr.net/npm/@trendyol/baklava@beta/dist/baklava.js
And we were planning to use
@latestonce we have a stable release.jsdelivr CDN caches those urls for 7 days, means when we made a beta release, users can start to use it one week later if they don't specifically mention the new version number in the URL. jsDelivr has a cache purge API endpoint and for now it's enabled by asking. I asked it for our library and they enabled it for us. They provided a basic HTTP input to invalidate CDN cache per url. But the problem is that endpoint doesn’t use authentication and basically open for everyone. That means this is open for abusing. Some attackers can clean caches for urls for continuously and this can reduce the frontend performance of users of our library dramatically.
Fortunately CDN cache can not be purged for full version urls (like https://cdn.jsdelivr.net/npm/@trendyol/[email protected]/dist/baklava.js) even with purge cache endpoint. To not risk have any risk we should promote using full version urls instead of alias URLs until jsDelivr provides a better cache purge api with authentication (they said they are working on it).
Since we are making automated release, it doesn’t look good to manually change url in our Readme file every time. Maybe we can consider to automatically replace version number in Readme file before publishing our storybook and npm release if a release will be needed for this pipeline. Or, we can just mention this definition in Readme file without giving a real version number.
Anyone has an opinion on that?
Beta Was this translation helpful? Give feedback.
All reactions